Automated security token administrative services

ABSTRACT

This invention provides a system, method and computer program product to allow a user to access administrative security features associated with the use of a security token. The administrative security features provide the user the ability to unlock a locked security token, diagnose a security token, activate and deactivate a security token, request a replacement security token or temporary password or report the loss of a security token. The invention comprises a client application which integrates into the standard user login dialog associated with an operating system. A portion of the user dialog is linked to a remote server to access the administrative services.

RELATED APPLICATIONS

This application is a continuation of U.S. application Ser. No. 13/858,464 filed Apr. 8, 2013 (U.S. Pat. No. 9,215,224), which is a continuation of U.S. application Ser. No. 13/275,665 filed Oct. 18, 2011 (U.S. Pat. No. 8,438,623), which is a continuation of U.S. application Ser. No. 10/304,958 filed Nov. 27, 2002 (U.S. Pat. No. 8,065,717), which are hereby incorporated by reference.

FIELD OF THE INVENTION

The present invention relates to a data processing system, method and computer program product and more specifically to a system, method and computer program product for gaining access to administrative security services without having authenticated access to an operating environment.

BACKGROUND

Security token and credential management systems track, monitor and control the state of authentication tokens and credentials assigned to users. Frequently, the security tokens managed by such systems become locked, lost, stolen, damaged, deactivated, or temporarily misplaced by the user. Many of these issues prevent the user from logging into an operating system. In other situations, it is useful for the user to obtain diagnostic information related to a security token prior to logging in. The user may also require temporary access to the operating system via some other means because his or her security token is not available or is non-operational.

In the relevant art, when a user is unable to gain access to the operating system due to unavailability of his or her security token, the options available to correct the situation usually involve a call to a support desk, logging into a restricted guest account or some combination of the two. Present solutions do not offer the user the capability to access the services of a security token management system while logged out or locked out of the operating system.

The support desk option is problematic in that the user may not be able to contact the support staff during non-working hours (e.g., nights and weekends) or during traditionally heavy demand periods (e.g., Monday mornings, following a system interruption, migration to another operating system or software application, etc.).

In certain circumstances, the user may be prevented from accessing an operating system or reporting a lost or stolen security token for an extended period of time (e.g., Christmas Holidays) which not only impacts worker productivity but may lead to future security compromises. Maintaining a full time support staff can be prohibitively expensive for smaller organizations.

Guest accounts provide only limited access to system resources and require that guest accounts be established and maintained on all computers where a potential user may need access to resources, which increases the risk of introducing security vulnerabilities.

Thus, an automated mechanism which allows a user to restore access privileges without the intervention of a support organization is highly desirable.

SUMMARY

This invention addresses the above cited limitations and provides a system, method and computer program product for user controlled security token administration.

The invention comprises a local client and a remote server in processing communications over a network, each including all functional components of a computer system such as associated hardware, peripherals, storage devices, operating system and applications software. The network includes local area networks, wide area networks and wireless networks.

The local client further includes an application which provides access to a user controlled security token administration application installed on the remote server and also serves as a communications interface with a locally connected security token. The client application is integrated into the operating system's login access application and user dialog interfaces, for example msgina.dll associated with Microsoft™ Windows NT and successor products or a pluggable authentication module (PAM) associated with UNIX™ based operating systems. The local client includes normal desktop and laptop computers and thin clients such as personal data assistants (PDA), security token equipped cellular telephones and related wireless devices.

The remote server is a designated authentication server having a unique universal resource locator (URL) number, the applications software and stored verification data to implement the invention. An example configuration is described in a product description sheet, “ActivCard™ Identity Management System,” by the assignee of the invention. The product description sheet is herein incorporated by reference.

The integrated login dialog interface provides one-stop access to either the operating system or the user controlled security token administration application. In one embodiment of the invention, a portion of the user login dialog interface is actually remotely displayed by the server using HTML, XML or equivalent protocols but appears to the user as a local application. Accessing the user controlled security token administration application does not require the normal user login procedures but does require the user to correctly supply at least one credential known or otherwise available to the user such as a biometric scan entry, password, PIN, passphrase or responses to a question and answer session. The credential is used for identifying the user and establishing the user's access privileges to services and resources.

To ensure that the user is actually communicating with the proper remote server, a host authentication session is performed using public key cryptography methods such as traditional challenge/response or digital certificate exchange. Once the server is authenticated to the local client, the user may be prompted to supply his or her credentials. Once the user has been authenticated to the remote server, based on comparisons to previously stored credentials, the user may initiate one or more functions including diagnostics of the security token, reactivating or deactivating the security token, requesting a replacement security token, requesting and enabling a temporary password or automatically granting access to previously unavailable services and resources.

The administrative application installed on the remote server processes the user request and performs the functions by sending the appropriate command strings and security codes to the security token via the client application to service the request. In situations where a temporary password is requested, the newly enabled password is visually displayed for a limited period of time.

In an alternate embodiment of the invention, the remote server may be replaced by an internal security token application which is invokeable by the user. In this embodiment of the invention the user performs essentially the same authentication process as described for the remote server embodiment but communicates locally with the security token directly via the local client application. Authentication of the security token to the user is performed by visual confirmation or by recognition of the authentication dialogs occurring between the user and the security token.

The communications between the local client and remote server are performed using a secure messaging protocol such as IPsec, SSL, SSH, TLS, WAP or equivalent.

BRIEF DESCRIPTION OF DRAWINGS

FIG. 1—is a generalized block diagram illustrating the invention.

FIG. 1A—is a generalized block diagram illustrating a mutual authentication session between a client and a remote server.

FIG. 1B—is a generalized block diagram illustrating an alternate embodiment of the invention.

FIG. 2—is a detailed block diagram illustrating a user interface dialog.

FIG. 2A—is a detailed block diagram illustrating the selection of an option available from the user interface dialog.

FIG. 3—is a detailed block diagram illustrating processing of a request by the remote server.

FIG. 4—is a flowchart illustrating the major steps for implementing the invention.

DETAILED DESCRIPTION

This invention provides a system, method and computer program product for user controlled security token administration without having to establish an active session.

Referring to FIG. 1, the invention comprises a local client 10 and a remote server 100 in processing communications over a network 110. Both the local client 10 and remote server 100 include user input devices such as keyboards 30, 130, and mice 20, 120, displays 40, 140, operating systems, applications software 15, 115 and memory storage devices 35, 135. The displays 40, 140 may include touch sensitive screens as another user input device. The local client 10 further includes a biometric scanner 25 as an alternative to memorized credentials (e.g., PINs, passwords, passphrases, question and answer sessions) and a security token 5.

The security token 5 includes security resources and information such as cryptographic keys and algorithms for accessing system resources and services following authentication of the user. A user authentication mechanism included in the security token is provided with a changeable security state to prevent fraudulent use of the token. For example, a common anti-fraud counter installed in security tokens limits the number of incorrect PIN entries to a predetermined number. If the predetermined number is exceeded, the security token is placed in a locked security state which requires receipt of specific unlock information in order to reset the anti-fraud counter and regain use of the security token.

The applications software 15 installed on the local client 10 provides access to a user controlled security token administration application 115 installed on the remote server 100 and also serves as a communications interface with the locally connected security token 5. The client application 15 is integrated into the operating system's login access application and user dialog interfaces such as msgina.dll associated with the WINLOGON.EXE program included in Microsoft™ Windows NT and successor products or a pluggable authentication module (PAM) associated with UNIX™ based operating systems.

Communications over the network 110 between the local client and remote server are performed using a secure messaging protocol such as IPsec, SSL, SSH, TLS, WAP or equivalent.

The administrative application 115 installed on the remote server allows a local user to access administrative services related to user access without having to establish an active session with the local operating environment or receive assistance from a support organization. The administrative application includes the ability to authenticate the user based on a supplied biometric sample, password, passphrase, PIN, question and answer session or any combination thereof.

FIG. 1A depicts a mutual authentication cycle between the local client 10 and the remote server 100. A user located at the local client 10 selects a function from a dialog box displayed on the display 40. The selection causes the remote server to first authenticate to the client using a public key infrastructure method. A digital certificate 165 is used as an example in FIG. 1A. Once the remote server 100 has been successfully authenticated, the user either supplies a biometric sample 145, or memorized credential 150 depicted as a password PW 160. Equivalent memorized credentials include passphrases, PINs, interactive question and answer sessions using the display 40, or any combination thereof, the results of which are sent to the remote server 100 for authentication. The received credential is authenticated by comparing 155 the received credential to those retrieved from storage 135.

FIG. 1B depicts an alternate embodiment of the invention where access to administrative services is performed locally using the client application 15 and a token application 175 installed inside the security token 5. As before, the user located at the local client 10 selects a function from the dialog box displayed on the display 40. The selection causes the token application 175 to authenticate the user. The user either supplies a biometric sample 145, or memorized credential 150 depicted as a password PW 160A.

The biometric sample 145 or credential PW 160A is sent 180 to the security token 5 for processing by the token application 175. If the user is authenticated, access to the security token resources and services is provided by changing a security state within the security token.

FIG. 2 depicts an example user interface display which provides normal authenticated access to system resources and services 200 or allows selection of administrative services 205 if the user is unable to gain normal access. The upper portion of the user dialog 200 is generated by the local operating system. The lower portion of the user interface display 205 in the preferred embodiment of the invention is a remote web page which is displayed locally. The web page may be constructed using hypertext markup language (HTML), extensible markup language (XML) or variations thereof. In an alternate embodiment of the invention, the lower portion of the user interface display 205 is generated locally and accesses the remote server application once a selection is made.

Examples of available options include unlocking a locked security token 210, diagnosing a security token which may be malfunctioning 215, activating a security token 220, deactivating a security token, requesting a replacement security token 235, requesting a temporary password 240, requesting a temporary security token 245 and reporting the loss of a security token 250. All of the options may be considered as security states in which the user desires a change. One skilled in the art will appreciate that other options to suit a particular security or administrative requirement may be provided as well.

Referring to FIG. 2A, an example session is shown where a user 260 selects the unlock security token option 210. A password 255 is then provided to authenticate the user to the remote server.

Referring to FIG. 3, the request 305 to unlock the security token is sent to the remote server 115 using the secure messaging protocol 315, for example IPsec, SSL, SSH, TLS, WAP or equivalent. The request is processed by the remote server application 115 which retrieves 320 the proper function 310 from storage 135. The function 310 is sent to the local client application 15 for routing 325 into the security token 5 for final processing.

Lastly, FIG. 4 depicts the major steps in implementing the invention. The process is initiated 400 by a user reviewing available administrative security functions displayed 405 on a display associated with a local client. The user is then prompted to enter a credential 410. The user's request and credential are then sent to the authenticating computer system for processing 415. The authenticating computer system attempts to authenticate the entity 420. The authenticating computer system may be a locally connected security token or a remote server. If the user is not authenticated 430, processing ends 450. If the entity is authenticated 430, the requested service is performed 440 on a locally connected security token and processing ends 450.
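The anti-fraud counter of the security token 5 and the unlock flow of FIG. 3 and FIG. 4, as an added toy model in Python (a constructed example, not ActivCard code or the patent's implementation). It assumes a retry limit of 3, a PBKDF2 hash as the credential held in server storage, and an HMAC over a client nonce as a stand-in for the certificate-based host authentication; the user names, keys and unlock code are constructed.

```python
import hashlib, hmac, secrets

MAX_PIN_TRIES = 3       # assumed anti-fraud counter limit
PBKDF2_ROUNDS = 50_000  # assumed work factor for stored password hashes


class SecurityToken:  # token with a changeable security state (ACTIVE / LOCKED)
    def __init__(self, pin, unlock_code):
        self._pin, self._unlock_code = pin, unlock_code
        self.tries, self.state = 0, "ACTIVE"

    def verify_pin(self, pin):
        if self.state != "ACTIVE":
            return False  # a locked token rejects every PIN, even the correct one
        if hmac.compare_digest(pin, self._pin):
            self.tries = 0
            return True
        self.tries += 1
        if self.tries >= MAX_PIN_TRIES:  # anti-fraud counter exceeded
            self.state = "LOCKED"
        return False

    def apply_unlock(self, code):  # only the specific unlock information resets the counter
        if not hmac.compare_digest(code, self._unlock_code):
            return False
        self.tries, self.state = 0, "ACTIVE"
        return True


class AdminServer:  # remote server 100: proves itself to the client, then verifies the user
    def __init__(self, host_key, unlock_codes):
        self._host_key, self._unlock_codes, self._users = host_key, unlock_codes, {}

    def enroll(self, user, password):
        salt = secrets.token_bytes(16)
        self._users[user] = (salt, hashlib.pbkdf2_hmac("sha256", password, salt, PBKDF2_ROUNDS))

    def prove_host(self, nonce):  # stand-in for the certificate / challenge-response step
        return hmac.new(self._host_key, nonce, "sha256").digest()

    def unlock_request(self, user, password):  # returns the token's unlock function or None
        if user not in self._users:
            return None
        salt, stored = self._users[user]
        candidate = hashlib.pbkdf2_hmac("sha256", password, salt, PBKDF2_ROUNDS)
        return self._unlock_codes.get(user) if hmac.compare_digest(stored, candidate) else None


def client_unlock(server, trusted_host_key, token, user, password):  # steps 400-450 of FIG. 4
    nonce = secrets.token_bytes(16)
    expected = hmac.new(trusted_host_key, nonce, "sha256").digest()
    if not hmac.compare_digest(server.prove_host(nonce), expected):
        return "HOST_AUTH_FAILED"  # never send the credential to an unverified server
    code = server.unlock_request(user, password)
    if code is None:
        return "USER_AUTH_FAILED"
    return "UNLOCKED" if token.apply_unlock(code) else "UNLOCK_REJECTED"
```

Note that the client sends the user credential only after the host has proven itself, and the token's counter resets only on the unlock information held by the server, not on a correct PIN.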

The foregoing described embodiments of the invention are provided as illustrations and descriptions. They are not intended to limit the invention to the precise form described. In particular, it is contemplated that the functional implementation of the invention described herein may be implemented equivalently in hardware, software, firmware, and/or other available functional components or building blocks. Other variations and embodiments are possible in light of the above teachings, and it is not intended that this Detailed Description limit the scope of the invention, but rather by the Claims following herein.

1. A system which performs at least one administrative security function which facilitates alternative access to system resources and services comprising: at least one credential associated with a user; a local client in processing communications with an authenticating computer system including; one or more functionally connected user input devices; a user interface means for handling input from and output to said user; means for generating and sending an administrative access request to said authenticating computer system to perform at least one administrative security function, wherein said administrative access request includes said at least one credential; means for mediating said at least one administrative security function between said authenticating computer system, said client and said user; and said authenticating computer system including; means responsive to said administrative access request for performing said at least one administrative security function, wherein said at least one administrative security function includes means for authenticating said user to said authenticating computer system using said at least one credential and means for allowing access to system resources and services, without requiring said user to log on to an operating environment associated with said local client. 2-24. (canceled) 